GAO INFORMATION SECURITY. Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

GAO, United States Government Accountability Office
Report to Congressional Committees, November 2010
INFORMATION SECURITY: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk
GAO-11-43

Highlights of GAO-11-43, a report to congressional committees, November 2010

INFORMATION SECURITY: Federal Agencies Have Taken Steps to Secure Wireless Networks, but Further Actions Can Mitigate Risk

Why GAO Did This Study

Over the past several years, federal agencies have rapidly adopted the use of wireless technologies for their information systems. In a 2005 report, GAO recommended that the Office of Management and Budget (OMB), in its role overseeing governmentwide information security, take several steps to help agencies better secure their wireless networks. GAO was asked to update its prior report by (1) identifying leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assessing agency efforts to secure wireless networks, including their vulnerability to attack. To do so, GAO reviewed publications, guidance, and other documentation and interviewed subject matter experts in wireless security. GAO also analyzed policies and plans and interviewed agency officials on wireless security at 24 major federal agencies and conducted additional detailed testing at these 5 agencies: the Departments of Agriculture, Commerce, Transportation, and Veterans Affairs, and the Social Security Administration.

What GAO Recommends

GAO is making two recommendations to OMB to enhance governmentwide oversight and four recommendations to the Department of Commerce for additional guidelines related to wireless security. The Department of Commerce concurred with GAO's recommendations. OMB did not provide comments on the report.

For more information, contact Gregory Wilshusen at (202) or wilshuseng@gao.gov or Nabajyoti Barkakati at (202) or barkakatin@gao.gov.

What GAO Found

GAO identified a range of leading security practices for deploying and monitoring secure wireless networks and technologies that can help secure these networks.
The leading practices include the following:
- comprehensive policies requiring secure encryption and establishing usage restrictions, implementation practices, and access controls;
- a risk-based approach for wireless deployment and monitoring;
- a centralized wireless management structure that is integrated with the management of the existing wired network;
- configuration requirements for wireless networks and devices;
- incorporation of wireless and mobile device security in training;
- use of encryption, such as a virtual private network for remote access;
- continuous monitoring for rogue access points and clients; and
- regular assessments to ensure wireless networks are secure.

Agencies have taken steps to secure their wireless networks, but more can be done to improve security and to limit vulnerability to attack. Specifically, application was inconsistent among the agencies for most of the following leading practices:
- Most agencies developed policies to support federal guidelines and leading practices, but gaps existed, particularly with respect to dual-connected laptops and mobile devices taken on international travel.
- All agencies required a risk-based approach for management of wireless technologies.
- Many agencies used a decentralized structure for management of wireless, limiting the standardization that centralized management can provide.
- The five agencies where GAO performed detailed testing generally securely configured wireless access points but had numerous weaknesses in laptop and smartphone configurations.
- Most agencies were missing key elements related to wireless security in their security awareness training.
- Twenty agencies required encryption, and eight of these agencies specified that a virtual private network must be used; four agencies did not require encryption for remote access.
- Many agencies had insufficient practices for monitoring or conducting security assessments of their wireless networks.
Existing governmentwide guidelines and oversight efforts do not fully address agency implementation of leading wireless security practices. Until agencies take steps to better implement these leading practices, and OMB takes steps to improve governmentwide oversight, wireless networks will remain at an increased vulnerability to attack.

Contents

Letter 1
Background 2
Comprehensive Policies, Use of Secure Technologies, Risk-Based Approach, Training, and Monitoring Among Leading Practices for Deploying and Monitoring Secure Wireless Networks 17
Agencies Have Acted to Secure Wireless Networks, but Additional Steps Are Needed to Effectively Mitigate Security Challenges 26
Conclusions 37
Recommendations for Executive Action 38
Agency Comments and Our Evaluation 39
Appendix I Objectives, Scope, and Methodology 40
Appendix II Comments from the Department of Commerce 43
Appendix III GAO Contacts and Staff Acknowledgments 45

Tables
Table 1: Examples of Network Security Threats 8
Table 2: Wireless Security Guidelines Identified in NIST Guidelines 13
Table 3: Guidelines in NIST Publications Addressing Recommendations from GAO
Table 4: Leading Practices for Securing Wireless Networks and Technologies 17

Figures
Figure 1: Example of a Wireless Infrastructure Mode Network 4
Figure 2: Example of Wireless Ad Hoc Networking 5
Figure 3: Dual-Connect Attack Scenario 10
Figure 4: Wireless Man-in-the-Middle Attack Scenario 11
Figure 5: Smartphone Data Attack Scenario 11

Abbreviations

DISA   Defense Information Systems Agency
DHS    Department of Homeland Security
EAP    extensible authentication protocol
FDCC   Federal Desktop Core Configuration
FIPS   Federal Information Processing Standards
FISMA  Federal Information Security Management Act
IEEE   Institute of Electrical and Electronics Engineers
IT     information technology
IPv6   Internet protocol version 6
NIST   National Institute of Standards and Technology
OMB    Office of Management and Budget
PDA    personal digital assistant
SP     Special Publications
VPN    virtual private network
WEP    wired equivalent privacy
WiMAX  Worldwide Interoperability for Microwave Access
WPA    Wi-Fi Protected Access
WLAN   wireless local area network

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC

November 30, 2010

The Honorable Richard J. Durbin
Chairman
The Honorable Susan Collins
Ranking Member
Subcommittee on Financial Services and General Government
Committee on Appropriations
United States Senate

The Honorable José E. Serrano
Chairman
The Honorable Jo Ann Emerson
Ranking Member
Subcommittee on Financial Services and General Government
Committee on Appropriations
House of Representatives

In the last several years, federal agencies have increasingly adopted the use of wireless technologies. While wireless technologies provide many potential benefits, including greater flexibility for a mobile workforce and ease of installation and use, they also pose significant risks to information and systems. Wireless technologies use radio waves instead of direct physical connections to transmit data between networks and devices. As a result, without proper security precautions, these data can be more easily intercepted and altered than if being transmitted through physical connections. We have previously reported on the security of wireless networks at federal agencies in 2005. 1 The conference report accompanying the Financial Services and General Government Appropriations Act, 2010, directed us to update our 2005 report. 2 Accordingly, our objectives for this report were to: (1) identify leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks and (2) assess agency efforts to secure wireless networks, including their vulnerability to attack.

To identify leading practices and state-of-the-art technologies for deploying and monitoring secure wireless networks, we obtained and reviewed publications, guidance, and other documentation, and interviewed private and federal subject matter experts. To assess agency efforts to secure wireless networks, we reviewed agency documents and conducted structured interviews with agency officials to learn about the wireless posture at 24 major federal agencies. 3 We supplemented these questions with site visits and detailed testing of wireless security controls at five of the agencies.

We conducted this performance audit from January 2010 to November 2010, in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I contains additional details on the objectives, scope, and methodology of our review.

1 GAO, Information Security: Federal Agencies Need to Improve Controls over Wireless Networks, GAO (Washington, D.C.: May 17, 2005).
2 H.R. Conf. Rep. No , at 914 (2009). We briefed the committees on the preliminary results of our review on April 13,
3 The 24 major federal agencies are the Agency for International Development; the Departments of Agriculture, Commerce, Defense, Education, Energy, Health and Human Services, Homeland Security, Housing and Urban Development, the Interior, Justice, Labor, State, Transportation, the Treasury, and Veterans Affairs; the Environmental Protection Agency; the General Services Administration; the National Aeronautics and Space Administration; the National Science Foundation; the Nuclear Regulatory Commission; the Office of Personnel Management; the Small Business Administration; and the Social Security Administration.

Background

The advantages of wireless technology for federal agencies include increased flexibility, easier installation, and easier scalability than wired technologies. If a federal agency has installed a wireless infrastructure, users with wireless-enabled devices can more easily connect to the agency's network throughout its facilities. In addition, agency employees traveling with wireless-enabled devices may be able to connect to an agency network via any one of the many public Internet access points or hot spots. Installation can be easier and less costly because the network can be established without having to pull cables through walls or ceilings or modify the physical network infrastructure. Wireless networks can also be easily scaled from small peer-to-peer networks to very large enterprise networks. For example, an agency can greatly expand the size of its wireless network and the number of users it can serve by increasing the number of access points.

The following wireless technologies are commonly used by federal agencies:
- wireless local area network (WLAN): a group of wireless networking nodes within a limited geographic area that serve as an extension to existing wired local area networks;
- wireless personal area network: used to establish small-scale wireless networks such as those using Bluetooth, which is an open standard for short-range communication; and
- wireless cellular networks: a telecommunications network managed by a service provider that supports smartphones, which offer the ability to provide data such as e-mail and Web browsing wirelessly over cellular networks, and cellular data cards, which provide Internet connectivity to laptop computers.

Wireless Local Area Networks

WLANs are generally composed of two basic elements: access points and other wireless-enabled client devices, such as laptop computers. These elements rely on radio transmitters and receivers to communicate with each other. Access points are physically wired to a conventional network and provide a means for wireless devices to connect to them. WLANs that are based on the Institute of Electrical and Electronics Engineers 4 (IEEE) standards are also known as Wi-Fi. WLANs are characterized by one of the following two basic structures, referred to as infrastructure mode and ad hoc mode:

Infrastructure mode. By deploying one or more access points that broadcast overlapping signals, an organization can achieve broad wireless network coverage. Infrastructure mode enables a laptop or other mobile device to be moved about freely while maintaining access to the resources of the wired network (see fig. 1).

4 IEEE is a professional association focused on electrical and computer sciences, engineering, and related disciplines. IEEE is responsible for developing technical standards through the IEEE Standards Association, which follows consensus-based standards development processes.

Figure 1: Example of a Wireless Infrastructure Mode Network (diagram; labels: Traditional wired network; Wireless access point)
Sources: GAO; Microsoft Visio and Art Explosion (images).

Ad hoc mode. This type of wireless structure allows wireless devices that are near one another to easily interconnect. In ad hoc mode, wireless-enabled devices can share network functionality without the use of an access point or a wired network connection (see fig. 2).

Figure 2: Example of Wireless Ad Hoc Networking (diagram)
Sources: GAO; Microsoft Visio and Art Explosion (images).

After approval of the initial IEEE standard in 1997, IEEE released several amendments to increase WLAN network speeds to be more comparable to that of wired networks. The standard and these subsequent amendments include security features known collectively as wired equivalent privacy (WEP). However, configurations that use WEP have significant security flaws. To address these flaws, IEEE released the i security standard in 2004, which specifies security components that work together with transmission standards. The IEEE i security standard supports wireless connections that provide moderate to high levels of assurance against WLAN security threats through the use of different cryptographic techniques.

While IEEE was developing i, the Wi-Fi Alliance 5 developed the Wi-Fi Protected Access (WPA) security certification as an interim means to improve security over WEP. The protocols used under the WPA certification address vulnerabilities of WEP, but the certification does not require support for strong encryption. In conjunction with the ratification of the i security standard in 2004, the Wi-Fi Alliance introduced WPA2, the interoperability certification for i. The WPA2 certification extends the security capabilities offered by WPA to include all requirements of the i standard. Both WPA and WPA2 offer two modes of operation: Personal and Enterprise. WPA2-Personal protects against unauthorized network access by using a preshared password as a key for network setup and access, while WPA2-Enterprise verifies network users through an authentication server. In most cases, WPA2-Enterprise is recommended to eliminate the continuous process of generating, deploying, and replacing outdated passwords. Although WPA2-Enterprise-certified products provide more security protections than WEP and WPA, recent reports revealed that wireless networks protected with WPA2-Enterprise encryption can also be susceptible to attacks. Most recently, in 2009, IEEE ratified the w-2009 standard, which further increases the overall security of based networks. Specifically, w-2009 provides improved protection for WLANs by defining additional encryption security features to help prevent incidents such as denial of service attacks against WLANs.

Wireless Personal Area Networks

Wireless personal area networks provide wireless connectivity to devices such as telephone headsets or computer keyboards within close proximity. Bluetooth is commonly used to establish these types of networks. Several versions of the Bluetooth standard have been adopted by the Bluetooth Special Interest Group. 6 Each Bluetooth device must operate in one of the four security modes defined by the Bluetooth standard. Each version of Bluetooth supports some, but not all, of these modes.

5 The Wi-Fi Alliance is a nonprofit international association that has the goal of certifying the interoperability of WLAN products based on IEEE specifications.
6 The Bluetooth Special Interest Group is a not-for-profit trade association developed to serve as the governing body for Bluetooth specifications.

Wireless Cellular Networks

Cellular networks are managed by service providers who provide coverage based on dividing a large geographical service area into smaller areas of coverage called cells. As a mobile phone moves from one cell to another, a cellular arrangement requires active connections to be monitored and effectively passed along between cells to maintain the connection. In addition to cellular phones, cellular networks support smartphones and cellular data cards. Smartphones offer more functionality than basic cellular phones, including e-mail and other office productivity applications, and have extended expansion capabilities through peripheral card slots and other built-in wireless communications such as Bluetooth and Wi-Fi. Cellular data cards allow laptop users to connect to the Internet anywhere cellular service is available. However, cellular data cards can only access the Internet if the user is within the service provider's network coverage area.

Federal Agencies Make Widespread Use of Wireless Technologies

Agencies reported significant use of WLANs to extend working mobility for employees and contractors. For example, 18 agencies reported using WLANs in a variety of ways. Five agencies reported having wireless networks available for headquarters along with field offices or components. Twelve other agencies reported that components have different wireless practices than headquarters. For example, one major agency reported no WLANs at its headquarters, but it has components that use them. Further, several agencies use wireless networks for more limited purposes than connecting to the core agency network. Specifically, five agencies reported offering WLANs that connect directly to the Internet for use in conference rooms or other public spaces. Another agency reported using wireless access points to provide Internet connectivity at outdoor construction sites.

Personal area networks using Bluetooth technology were also reported by many agencies. Specifically, 14 agencies reported using Bluetooth devices. Ten agencies reported permitting cellular phone users to connect wireless headsets, and four agencies reported permitting wireless keyboards or mice.

Agencies also reported extensive use of smartphones and cellular data cards. All 24 agencies we queried reported using smartphones, primarily the BlackBerry brand. Agencies' smartphone management structures included management through a central server located at the department level or at the component level, and one component or office providing smartphone management to another office. Seventeen agencies reported using cellular data cards to provide Internet connectivity to user laptops.

These cards and services are typically provided by commercial telecommunications carriers.

Wireless Technologies Are Susceptible to Security Risks

Without proper safeguards, computer systems are vulnerable to individuals and groups with malicious intent who can intrude and use their access to obtain sensitive information, commit fraud, disrupt operations, or launch attacks against other computer systems and networks. The risk to these systems is well-founded for a number of reasons, including the dramatic increase in reports of security incidents, the ease of obtaining and using hacking tools, and steady advances in the sophistication and effectiveness of attack technology. Table 1 provides a compilation of threats to wireless and wired networks as identified by the National Institute of Standards and Technology (NIST).

Table 1: Examples of Network Security Threats

Denial-of-service: Preventing or limiting the normal use or management of networks or network devices.
Eavesdropping: Passively monitoring network communications for data, including authentication credentials.
Man-in-the-middle: Actively impersonating multiple legitimate parties, such as appearing as a client to an access point and appearing as an access point to a client. Allows attacker to intercept communications between an access point and a client, thereby obtaining authentication credentials and data.
Masquerading: Impersonating an authorized user and gaining unauthorized privileges.
Message modification: Altering a legitimate message by deleting, adding to, changing, or reordering it.
Message replay: Passively monitoring transmissions and retransmitting messages, acting as if the attacker were a legitimate user.
Misappropriation: Stealing or making unauthorized use of a service.
Traffic analysis: Passively monitoring transmissions to identify communication patterns and participants.

Source: GAO analysis of NIST data.

Wireless networks also face challenges that are unique to their environment. A significant difference between wireless and wired networks is the relative ease of intercepting WLAN transmissions. For WLANs, attackers only need to be in range of wireless transmissions and do not have to gain physical access to the network or remotely compromise systems on the network. WLANs also have to protect against the deployment of unauthorized wireless devices, such as access points, that are configured to appear as part of an agency's wireless network infrastructure. In implementing wireless networks, federal agencies need to address these challenges to maintain the confidentiality, integrity, and availability of the information.

Bluetooth-enabled devices are susceptible to general networking threats and are also threatened by more specific Bluetooth-related attacks such as bluesnarfing, which enables attackers to gain access to a Bluetooth-enabled device by exploiting a software flaw in older devices. Smartphones are also susceptible to general networking threats and face additional security risks. Those risks include those caused by their size and portability, as well as the availability of different wireless interfaces and associated services. For example, the size and portability of smartphones can result in the loss of physical control of a device that could reveal sensitive data to an unauthorized user.

Recent articles released by the media reinforce the need for federal agencies to secure their wireless networks and devices. Examples of reported incidents and risks include the following:
- A retail company admitted in 2007 that hackers located and tested wireless networks for vulnerabilities and installed programs on these networks to steal the credit card information of more than 45 million consumers.
- An assessment of wireless vulnerability conducted in 2008 at 27 airports that had wireless networks found that personal information could be leaked because only 3 percent of hot spot users used a virtual private network (VPN) 7 to encrypt their data.
- In 2009, a counterintelligence official described how smartphones could have been tagged, tracked, monitored, and exploited at the 2008 Beijing Olympics. The malicious software could have also posed a threat to servers in the United States.

7 A VPN is a private network that is maintained across a shared or public network, such as the Internet, by means of specialized security procedures. VPNs are intended to provide secure connections between remote clients, such as branch offices or traveling personnel, and a central office.

Scenarios Provide Examples of Attacks Using Wireless Vulnerabilities

The following scenarios (figs. 3-5) provide examples of well-known attacks used to exploit vulnerabilities in wireless technologies. These scenarios do not represent all possible attacks on wireless technology vulnerabilities. In a dual-connect scenario (see fig. 3), the attacker exploits insecure laptop configurations to gain unauthorized access to an organization's core network.

Figure 3: Dual-Connect Attack Scenario
1. A target laptop has a wired connection to the agency network. With wireless enabled, the target laptop automatically looks for any previously connected wireless networks by network name.
2. An attacker with a scanning tool can identify wireless network names and deploy a rogue wireless access point with the same name as one of the previously connected wireless networks.
3. While still connected to the agency network, the target laptop automatically connects to the rogue wireless access point, creating a dual connection, i.e., the target laptop has both an active wired and wireless connection.
4. While connected to the rogue wireless access point, the target laptop can be probed and vulnerabilities exploited that could provide an attacker with access to the agency network through the target laptop.
5. With unauthorized access to an agency network, an attacker is capable of destroying, modifying, or copying sensitive information.
Source: GAO; Art Explosion (images).

Wireless man-in-the-middle attacks (see fig. 4) use an insecure laptop configuration to intercept or alter information transmitted wirelessly between the target laptop and a wireless access point.

Figure 4: Wireless Man-in-the-Middle Attack Scenario
1. While located between a target laptop and a legitimate wireless access point, an attacker impersonates the legitimate access point.
2. The target laptop unintentionally connects to the rogue wireless access point, which acts as a man-in-the-middle, reading and then relaying information to the legitimate access point.
3. The rogue wireless access point can then intercept network communications between the target laptop and the legitimate access point.
4. As a result, the attacker could read and modify sensitive data in transmission, or inject malicious code to infect the target laptop.
Source: GAO; Art Explosion (images).

Attacks on smartphones (see fig. 5) can involve stealing data or injecting malicious code using phone storage cards.

Figure 5: Smartphone Data Attack Scenario
1. Smartphones have the capability to store data on removable storage cards.
2. If this capability is not disabled and the target phone is left unattended, an attacker could replace the storage card with a card with malicious code or simply remove the storage card with its contents, which could include sensitive information.
Source: GAO.
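Detection logic for the "continuous monitoring for rogue access points" leading practice listed in the Highlights, applied to the evil-twin access points that drive the dual-connect and man-in-the-middle scenarios above. This is an added example, not code from the GAO report or any of the agencies it reviewed: every access point in a wireless scan is checked against an authorized inventory of network names and BSSIDs. The inventory, the scan export format, the network names, the BSSIDs and the signal threshold are all constructed assumptions.

```python
"""Rogue access point triage over a constructed wireless scan.

Added example, not part of the GAO report. Each observed access point is
compared with an authorized inventory (network name -> BSSIDs) and the
security type each network is required to advertise. An agency network name
coming from a radio that is not in the inventory is the rogue access point
of figures 3 and 4. All values below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Authorized inventory (constructed): network name -> BSSIDs (radio MAC
# addresses) from which the agency's own access points advertise it.
AUTHORIZED: Dict[str, Set[str]] = {
    "AGENCY-CORP": {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"},
    "AGENCY-GUEST": {"00:11:22:aa:bb:03", "00:11:22:aa:bb:04"},
}

# Security type each authorized network must advertise (a configuration
# requirement for access points).  Constructed.
EXPECTED_SECURITY: Dict[str, str] = {
    "AGENCY-CORP": "WPA2-Enterprise",
    "AGENCY-GUEST": "WPA2-Personal",
}

# Signal level (dBm) at or above which an unknown network is assumed to be on
# the premises rather than in a neighbouring building.  Assumed threshold.
NEAR_RSSI_DBM = -70

# Constructed scan export, one access point per line:
# ssid|bssid|channel|security|rssi_dbm
SCAN = """\
AGENCY-CORP|00:11:22:AA:BB:01|36|WPA2-Enterprise|-48
AGENCY-CORP|00:11:22:aa:bb:02|44|WPA2-Enterprise|-61
AGENCY-GUEST|00:11:22:aa:bb:03|6|WPA2-Personal|-55
AGENCY-GUEST|00:11:22:aa:bb:04|11|Open|-58
AGENCY-CORP|de:ad:be:ef:00:01|6|Open|-40
AGENCY-CORP|de:ad:be:ef:00:02|1|WPA2-Personal|-52
AGENCY-C0RP|de:ad:be:ef:00:03|1|WPA2-Enterprise|-45
CoffeeShop-Free|66:77:88:99:aa:bb|11|Open|-80
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # critical, high, medium or low
    ssid: str
    bssid: str
    reason: str


def parse_scan(text: str) -> List[dict]:
    """Parse the constructed scan format; BSSIDs are lower-cased for matching."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ssid, bssid, channel, security, rssi = line.split("|")
        aps.append({"ssid": ssid, "bssid": bssid.lower(), "channel": int(channel),
                    "security": security, "rssi": int(rssi)})
    return aps


def normalize(ssid: str) -> str:
    """Fold case, punctuation and look-alike digits so AGENCY-C0RP matches AGENCY-CORP."""
    folded = ssid.upper().translate(str.maketrans({"0": "O", "1": "I", "5": "S"}))
    return "".join(ch for ch in folded if ch.isalnum())


def classify(ap: dict) -> Optional[Finding]:
    """Return a finding for one access point, or None if it is authorized and correctly configured."""
    ssid, bssid = ap["ssid"], ap["bssid"]
    if ssid in AUTHORIZED:
        if bssid in AUTHORIZED[ssid]:
            if ap["security"] != EXPECTED_SECURITY[ssid]:
                return Finding("high", ssid, bssid,
                               f"authorized AP advertises {ap['security']}, "
                               f"expected {EXPECTED_SECURITY[ssid]}")
            return None
        # Agency network name from a radio not in the inventory: the rogue AP
        # a dual-connected or man-in-the-middle victim would join.
        return Finding("critical", ssid, bssid,
                       "unknown BSSID broadcasting an agency network name")
    for known in AUTHORIZED:
        if normalize(ssid) == normalize(known):
            return Finding("high", ssid, bssid, f"network name imitates {known}")
    if ap["rssi"] >= NEAR_RSSI_DBM:
        return Finding("medium", ssid, bssid,
                       "unrecognized network with strong signal; locate and verify")
    return Finding("low", ssid, bssid,
                   "unrecognized network with weak signal; probably a neighbor")


def triage(scan_text: str) -> List[Finding]:
    """Classify every access point in a scan and order the findings by severity."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [f for f in map(classify, parse_scan(scan_text)) if f is not None]
    return sorted(findings, key=lambda f: (rank[f.severity], f.ssid, f.bssid))


if __name__ == "__main__":
    for f in triage(SCAN):
        print(f"{f.severity:<8} {f.ssid:<16} {f.bssid}  {f.reason}")
```

A real deployment would feed `triage` from a wireless intrusion detection sensor export rather than the embedded sample, and the BSSID inventory would come from the centralized wireless management system the report recommends.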

Federal Laws and Guidelines Provide a Framework for Wireless Security Policies

The Federal Information Security Management Act (FISMA) of 2002 requires each agency to develop, document, and implement an agencywide information security program to provide security for the data and information systems that support the agency's operations and assets. 8 Significant amounts of agency data are stored on and transmitted through wireless devices and networks. Wireless technologies are often important parts of the information systems that support the agency's operations and assets. Accordingly, wireless technologies are typically encompassed by agency information security programs required under FISMA.

FISMA also assigns additional information security responsibilities for the Office of Management and Budget (OMB) and NIST. FISMA assigns OMB specific responsibilities, including
- overseeing the implementation of policies, standards, and guidelines on information security, including ensuring timely agency adoption of and compliance with standards;
- requiring agencies to identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency, or information systems used or operated by or on behalf of an agency;
- overseeing agency compliance with FISMA requirements;
- reviewing at least annually, and approving or disapproving, agency information security programs; and
- annual reporting to Congress on agency compliance with the requirements of FISMA, including significant deficiencies in agency information security practices and planned remedial action to address such deficiencies.

In a July 2010 memo, OMB directed the Department of Homeland Security (DHS) to exercise primary responsibility within the executive branch for the operational aspects of federal agency cybersecurity with respect to the federal information systems that fall within FISMA. 9 According to the memo, DHS is to oversee the implementation of and reporting on information security policies and guidance in federal agencies, oversee agency compliance with FISMA, and annually review agency cybersecurity programs. OMB will continue to report annually to Congress on the progress of agencies' compliance with FISMA. According to the Director of Federal Network Security, the DHS official responsible for many of DHS's newly assigned FISMA-related activities, DHS is beginning its oversight activities through the annual FISMA reporting process that federal agencies are required to follow. The official stated that the department does not currently have any wireless-security-specific activities under way, but that the department is planning future activities that may address wireless security, including compliance audits and an architecture document.

8 44 U.S.C. 3544(b).
9 OMB, Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (Washington, D.C: July 6, 2010).

Under FISMA, NIST is responsible for developing standards and guidelines that include minimum information security requirements. Table 2 describes NIST Special Publications (SP) that include guidelines intended to secure wireless technologies.

Table 2: Wireless Security Guidelines Identified in NIST Guidelines

NIST SP: Purpose
SP , Guide to Securing Legacy IEEE Wireless Networks a: Provides guidelines to organizations in securing their legacy IEEE WLAN that cannot use the IEEE i standard.
SP , Recommended Security Controls for Federal Information Systems and Organizations b: Provides guidelines for selecting and specifying security controls for information systems that include wireless access and access controls for mobile devices.
SP , Guide to Intrusion Detection and Prevention Systems c: Provides a basis for designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems, d including a wireless intrusion detection system.
SP , Establishing Wireless Robust Security Networks: A Guide to IEEE i e: Assists organizations in understanding, selecting, and implementing technologies based on IEEE i.
SP , Guidelines on Cell Phone Forensics f: Provides basic information on the preservation, acquisition, examination, analysis, and reporting of digital evidence on cell phones, relevant to law enforcement, incident response, and other types of investigations.
SP , User's Guide to Securing External Devices for Telework and Remote Access g: Provides guidelines for securing external devices used for telework, including wireless home networks and wireless-enabled personal computers.
SP , Recommendation for EAP Methods Used in Wireless Network Access Authentication h: Formalizes a set of core security requirements for extensible authentication protocol (EAP) i for wireless access authentication and key establishment.
SP , Guide to Bluetooth Security j: Provides information on the security capabilities of Bluetooth and provides recommendations to secure Bluetooth devices effectively.
SP , Guidelines on Cell Phone and PDA Security k: Provides an overview of cell phone and personal digital assistant (PDA) devices in use today and provides safeguards for securing these devices.

Source: GAO analysis of NIST data.
a NIST, Guide to Securing Legacy IEEE Wireless Networks, SP Revision 1 (Gaithersburg, MD: July 2008).
b NIST, Recommended Security Controls for Federal Information Systems and Organizations, SP Revision 3 (Gaithersburg, MD: August 2009).
c NIST, Guide to Intrusion Detection and Prevention Systems (IDPS), SP (Gaithersburg, MD: February 2007).
d An intrusion detection system monitors the events occurring in a computer system or network and analyzes them for signs of possible incidents.
e NIST, Establishing Wireless Robust Security Networks: A Guide to IEEE i, SP (Gaithersburg, MD: February 2007).
f NIST, Guidelines on Cell Phone Forensics, SP (Gaithersburg, MD: May 2007).
g NIST, User's Guide to Securing External Devices for Telework and Remote Access, SP (Gaithersburg, MD: November 2007).
h NIST, Recommendation for EAP Methods Used in Wireless Network Access Authentication, SP (Gaithersburg, MD: September 2009).
i EAP supports multiple authentication methods used when connecting a computer to the Internet.
j NIST, Guide to Bluetooth Security, SP (Gaithersburg, MD: September 2008).
k NIST, Guidelines on Cell Phone and PDA Security, SP (Gaithersburg, MD: October 2008).
NIST is also responsible for administering the United States Government Configuration Baseline (USGCB), an initiative to create security configuration baselines for information technology (IT) products deployed across federal agencies. In addition to NIST guidelines, other federal agencies have developed guidance for securing wireless technologies. For example, the Department of Defense's Defense Information Systems Agency (DISA) has created a series of Security Technical Implementation Guides (STIGs) that address general-purpose or multiuse technologies. These guides serve as configuration standards for the Department of Defense's wireless devices and systems, and DISA has made them available to other federal agencies to provide them with a baseline level of security.

GAO Has Previously Recommended Improvements to Wireless Network Security Guidance

In 2005, we reported that federal agencies lacked key controls for securing wireless networks (10). We recommended that the Director of OMB instruct federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs, in accordance with FISMA. Specifically, we recommended that agencywide security programs include the following security controls:

- Robust policies for authorizing the use of wireless networks, identifying requirements, and establishing security controls for wireless-enabled devices in accordance with NIST guidelines.
- Security configuration requirements for wireless devices that include security tools, such as encryption, authentication, VPN, and firewalls; placement and strength of wireless access points to minimize signal leakage; and physical protection of wireless-enabled devices.
- Comprehensive monitoring programs, including the use of tools such as site surveys and intrusion detection systems to detect signal leakage; ensure compliance with configuration requirements; ensure only authorized access to and use of wireless networks; and identify unauthorized wireless-enabled devices and activities in the agency's facilities.
- Wireless security training for employees and contractors.

In response to our recommendations, OMB has instructed federal agencies to ensure that wireless network security is incorporated into their agencywide information security programs through the use of NIST guidelines. In addition, OMB's annual FISMA reporting requirements state that agencies must follow NIST standards and guidelines for non-national security programs and information systems. Since our report was issued, NIST has released guidelines that address the items identified in our recommendations. These guidelines include NIST SP 800-48, Guide to Securing Legacy IEEE 802.11 Wireless Networks; NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations; and NIST SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i (see table 3).

10 GAO, Information Security: Federal Agencies Need to Improve Controls over Wireless Networks, GAO-05-383 (Washington, D.C.: May 2005).

Table 3: Guidelines in NIST Publications Addressing Recommendations from GAO-05-383

Publications compared: NIST SP 800-48 Rev. 1, NIST SP 800-53 Rev. 3, and NIST SP 800-97. Each recommendation area notes how many of the three publications address it, followed by the relevant guidance.

Establish policies (all three): Establishing wireless networking security policies, such as infrastructure and client device security; criteria for identifying and implementing security requirements; access controls for portable and mobile devices; and establishing and maintaining robust security for wireless local area networks.

Configuration requirements include security tools (two of three): Configuring wireless client device security tools, including personal firewalls and host-based intrusion detection and prevention systems for the protection of wireless clients; using VPNs as an alternative method of achieving confidentiality and integrity protection; and security protocols.

Configuration requirements address access points (one of three): Establishing access point configuration and awareness of access point security concerns, including signal boundary considerations.

Configuration requirements include physical protection (two of three): Ensuring physical protection of wireless devices, such as usage restrictions and implementation guidance for organization-controlled portable and mobile devices.

Monitoring programs include tools to detect signal leakage (one of three): Determining criteria for conducting site surveys and using appropriate wall-mounted antennas to minimize signal leakage.

Monitoring programs include tools to ensure configuration compliance (two of three): Using wireless intrusion detection and prevention systems to identify misconfigured clients, and using policy-driven software solutions to ensure that client devices and users comply with defined WLAN policies.

Monitoring programs include tools to ensure access is authorized (all three): Using wireless intrusion detection and prevention systems to determine whether unauthorized users or devices are attempting to access, have already accessed, or have compromised the WLAN; and performing regular audits using wireless sniffers and other tools to determine whether wireless products are transmitting correctly and on the correct channels.

Monitoring programs include tools to identify unauthorized access (all three): Using wireless intrusion detection and prevention systems to detect suspicious or unauthorized activity, and completing site surveys to discover any sources of radio interference.

Security training (all three): Establishing wireless security awareness and training for employees and contractors to ensure good security practices and prevent inadvertent or malicious intrusions into an organization's information systems.

Source: GAO analysis of NIST data.
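As an added example, not code from the GAO report or from any NIST publication, the following Python script shows the kind of check a monitoring program would run for the "configuration compliance" and "authorized access" rows of table 3. It compares a set of observed access point beacons (as a wireless sniffer or WIDS sensor would report them) against an authorized inventory and flags evil-twin SSIDs, unknown BSSIDs, off-channel access points, access points not using the required security protocol, and inventoried access points missing from the survey. The inventory, the WPA2-Enterprise-only policy, and the scan records are constructed assumptions for illustration.

```python
"""Audit observed 802.11 beacons against an authorized access point inventory.

Added illustration, not code from the GAO report or from any NIST publication.
The inventory, the policy values and the scan records below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Beacon:
    """One observed access point, as a wireless sniffer or WIDS sensor reports it."""
    bssid: str      # AP MAC address, any common notation
    ssid: str       # advertised network name
    channel: int    # channel number
    security: str   # "WPA2-Enterprise", "WPA2-PSK", "WEP" or "OPEN"


@dataclass(frozen=True)
class Finding:
    bssid: str
    kind: str       # classification assigned by audit_beacons()
    detail: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so inventory and scan data compare reliably."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_beacons(
    beacons: Iterable[Beacon],
    authorized: Dict[str, Tuple[str, int]],
    allowed_security: Set[str],
) -> List[Finding]:
    """Compare observed beacons with the authorized inventory and the security policy.

    Classifications:
      evil-twin      unknown BSSID advertising an agency SSID (likely impersonation)
      unknown-ap     unknown BSSID with a foreign SSID (rogue or neighbor; needs
                     wired-side correlation before it is called a rogue)
      ssid-mismatch  authorized AP advertising the wrong SSID
      off-channel    authorized AP not on its assigned channel
      weak-security  authorized AP not using a protocol the policy allows
      not-seen       authorized AP absent from the survey (down, or moved)
    """
    inventory = {normalize_mac(k): v for k, v in authorized.items()}
    agency_ssids = {ssid for ssid, _ in inventory.values()}
    findings: List[Finding] = []
    seen: Set[str] = set()

    for b in beacons:
        bssid = normalize_mac(b.bssid)
        seen.add(bssid)
        if bssid not in inventory:
            if b.ssid in agency_ssids:
                findings.append(Finding(bssid, "evil-twin",
                    f"unauthorized BSSID advertises agency SSID {b.ssid!r} on channel {b.channel}"))
            else:
                findings.append(Finding(bssid, "unknown-ap",
                    f"SSID {b.ssid!r}, {b.security}, channel {b.channel}"))
            continue
        exp_ssid, exp_channel = inventory[bssid]
        if b.ssid != exp_ssid:
            findings.append(Finding(bssid, "ssid-mismatch", f"expected {exp_ssid!r}, saw {b.ssid!r}"))
        if b.channel != exp_channel:
            findings.append(Finding(bssid, "off-channel", f"expected channel {exp_channel}, saw {b.channel}"))
        if b.security not in allowed_security:
            findings.append(Finding(bssid, "weak-security",
                f"{b.security} not in policy {sorted(allowed_security)}"))

    # Inventoried APs that never beaconed during the survey deserve a follow-up too.
    for bssid, (ssid, channel) in inventory.items():
        if bssid not in seen:
            findings.append(Finding(bssid, "not-seen", f"{ssid!r} on channel {channel} not observed"))
    return findings


# Hypothetical inventory: BSSID -> (SSID, assigned channel).
AUTHORIZED_APS = {
    "00:11:22:33:44:01": ("AGENCY-WLAN", 1),
    "00:11:22:33:44:02": ("AGENCY-WLAN", 6),
    "00:11:22:33:44:03": ("AGENCY-WLAN", 11),
}
# Assumed policy: WPA2-Enterprise (IEEE 802.11i RSN with EAP) only.
REQUIRED_SECURITY = {"WPA2-Enterprise"}

# Constructed scan records (not real captures).
SAMPLE_SCAN = [
    Beacon("00-11-22-33-44-01", "AGENCY-WLAN", 1, "WPA2-Enterprise"),  # compliant
    Beacon("00:11:22:33:44:02", "AGENCY-WLAN", 9, "WPA2-PSK"),         # off-channel, weak security
    Beacon("AA:BB:CC:DD:EE:01", "AGENCY-WLAN", 6, "OPEN"),             # evil twin
    Beacon("AA:BB:CC:DD:EE:02", "linksys", 11, "WEP"),                 # unknown AP
]


def audit_sample() -> List[Finding]:
    """Run the audit over the constructed scan; AP ...:03 is absent and is reported as not-seen."""
    return audit_beacons(SAMPLE_SCAN, AUTHORIZED_APS, REQUIRED_SECURITY)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.kind:14} {f.bssid}  {f.detail}")
```

Running the script prints one line per finding for the constructed scan. An unknown BSSID with a foreign SSID is deliberately reported as "unknown-ap" rather than "rogue": a neighbor's access point looks identical over the air, so calling it a rogue requires wired-side correlation (for example, the AP's MAC address appearing on an agency switch port), which a site survey alone cannot provide.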

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies

INFORMATION SECURITY. Additional Oversight Needed to Improve Programs at Small Agencies United States Government Accountability Office Report to Congressional Requesters June 2014 INFORMATION SECURITY Additional Oversight Needed to Improve Programs at Small Agencies GAO-14-344 June 2014 INFORMATION

More information

a GAO-05-383 GAO INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless Networks

a GAO-05-383 GAO INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless Networks GAO United States Government Accountability Office Report to the Honorable Wm. Lacy Clay, House of Representatives May 2005 INFORMATION SECURITY Federal Agencies Need to Improve Controls over Wireless

More information

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters May 2010 INFORMATION SECURITY Federal Guidance Needed to Address Control Issues with Implementing Cloud Computing GAO-10-513

More information

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement

GAO. INFORMATION SECURITY Persistent Weaknesses Highlight Need for Further Improvement GAO For Release on Delivery Expected at time 1:00 p.m. EDT Thursday, April 19, 2007 United States Government Accountability Office Testimony Before the Subcommittee on Emerging Threats, Cybersecurity,

More information

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness

FEDERAL INFORMATION SECURITY. Mixed Progress in Implementing Program Components; Improved Metrics Needed to Measure Effectiveness United States Government Accountability Office Report to Congressional Committees September 2013 FEDERAL INFORMATION SECURITY Mixed Progress in Implementing Program Components; Improved Metrics Needed

More information

Evaluation Report. Office of Inspector General

Evaluation Report. Office of Inspector General Evaluation Report OIG-08-035 INFORMATION TECHNOLOGY: Network Security at the Office of the Comptroller of the Currency Needs Improvement June 03, 2008 Office of Inspector General Department of the Treasury

More information

GAO. INFORMATION SECURITY Additional Guidance Needed to Address Cloud Computing Concerns

GAO. INFORMATION SECURITY Additional Guidance Needed to Address Cloud Computing Concerns GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, October 6, 2011 United States Government Accountability Office Testimony Before the Subcommittee on Cybersecurity, Infrastructure Protection,

More information

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing

GAO. INFORMATION SECURITY Governmentwide Guidance Needed to Assist Agencies in Implementing Cloud Computing GAO For Release on Delivery Expected at 10:00 a.m. EDT Thursday, July 1, 2010 United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform and Its Subcommittee

More information

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks

GAO. IT SUPPLY CHAIN Additional Efforts Needed by National Security- Related Agencies to Address Risks GAO For Release on Delivery Expected at 10:00 a.m. EDT Tuesday, March 27, 2012 United States Government Accountability Office Testimony Before the Subcommittee on Oversight and Investigations, Committee

More information

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks

WHITE PAPER. The Need for Wireless Intrusion Prevention in Retail Networks WHITE PAPER The Need for Wireless Intrusion Prevention in Retail Networks The Need for Wireless Intrusion Prevention in Retail Networks Firewalls and VPNs are well-established perimeter security solutions.

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Security Weaknesses Increase Risks to Critical United States Secret Service Database (Redacted) Notice: The Department of Homeland Security,

More information

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL

U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL U.S. ELECTION ASSISTANCE COMMISSION OFFICE OF INSPECTOR GENERAL FINAL REPORT: U.S. Election Assistance Commission Compliance with the Requirements of the Federal Information Security Management Act Fiscal

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Evaluation Report The Department's Unclassified Cyber Security Program 2011 DOE/IG-0856 October 2011 Department of

More information

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS

SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS SECURITY FOR ENTERPRISE TELEWORK AND REMOTE ACCESS SOLUTIONS Karen Scarfone, Editor Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Many people

More information

Wireless Security with Cyberoam

Wireless Security with Cyberoam White paper Cyberoam UTM Wireless Security with Cyberoam Robust, Fault-tolerant security is a must for companies sporting wireless networks. Cyberoam UTM strengthens the existing Wireless Security Architecture

More information

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network

GAO INFORMATION SECURITY. FBI Needs to Address Weaknesses in Critical Network GAO United States Government Accountability Office Report to the Honorable F. James Sensenbrenner Jr., House of Representatives April 2007 INFORMATION SECURITY FBI Needs to Address Weaknesses in Critical

More information

ITL BULLETIN FOR AUGUST 2012

ITL BULLETIN FOR AUGUST 2012 ITL BULLETIN FOR AUGUST 2012 SECURITY OF BLUETOOTH SYSTEMS AND DEVICES: UPDATED GUIDE ISSUED BY THE NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY (NIST) Shirley Radack, Editor Computer Security Division

More information

POLICY ON WIRELESS SYSTEMS

POLICY ON WIRELESS SYSTEMS Committee on National Security Systems CNSSP No. 17 January 2014 POLICY ON WIRELESS SYSTEMS THIS DOCUMENT PRESCRIBES MINIMUM STANDARDS YOUR DEPARTMENT OR AGENCY MAY REQUIRE FURTHER IMPLEMENTATION CHAIR

More information

INFORMATION SECURITY. VA Needs to Address Identified Vulnerabilities

INFORMATION SECURITY. VA Needs to Address Identified Vulnerabilities United States Government Accountability Office Report to the Chairman, Committee on Veterans Affairs, House of Representatives November 2014 INFORMATION SECURITY VA Needs to Address Identified Vulnerabilities

More information

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION Security Controls Over Wireless Technology Were Generally in Place; However, Further Actions Can Improve Security September 26, 2011 Reference Number:

More information

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS AT STATE MEDICAID AGENCIES Inquiries

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2014 May 19, 2015 14-01820-355 ACRONYMS CRISP

More information

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS

REMOTE ACCESS POLICY OCIO-6005-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER REMOTE ACCESS POLICY OCIO-6005-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY III.

More information

INFORMATION SECURITY. Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent

INFORMATION SECURITY. Agency Responses to Breaches of Personally Identifiable Information Need to Be More Consistent United States Government Accountability Office Report to Congressional Requesters December 2013 INFORMATION SECURITY Agency Responses to Breaches of Personally Identifiable Information Need to Be More

More information

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard

The Impact of Wireless LAN Technology on Compliance to the PCI Data Security Standard The Impact of Wireless LAN Technology on to the PCI Data Security Standard 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Wireless LANs and PCI Retailers today use computers

More information

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008

INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG ITMC TECH TIP ROB COONCE, MARCH 2008 INFORMATION TECHNOLOGY MANAGEMENT COMMITTEE LIVINGSTON, NJ WWW.LIVINGSTONNJ.ORG What is wireless technology? ITMC TECH TIP ROB COONCE, MARCH 2008 In our world today, this may mean sitting down at a coffee

More information

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014

EVALUATION REPORT. The Department of Energy's Unclassified Cybersecurity Program 2014 U.S. Department of Energy Office of Inspector General Office of Audits and Inspections EVALUATION REPORT The Department of Energy's Unclassified Cybersecurity Program 2014 DOE/IG-0925 October 2014 Department

More information

a GAO-05-700 GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program

a GAO-05-700 GAO INFORMATION SECURITY Department of Homeland Security Needs to Fully Implement Its Security Program GAO United States Government Accountability Office Report to the Ranking Minority Member, Committee on Homeland Security and Governmental Affairs, U.S. Senate June 2005 INFORMATION SECURITY Department

More information

GAO INFORMATION SECURITY. Weaknesses Continue Amid New Federal Efforts to Implement Requirements. Report to Congressional Committees

GAO INFORMATION SECURITY. Weaknesses Continue Amid New Federal Efforts to Implement Requirements. Report to Congressional Committees GAO United States Government Accountability Office Report to Congressional Committees October 2011 INFORMATION SECURITY Weaknesses Continue Amid New Federal Efforts to Implement Requirements GAO-12-137

More information

PCI Solution for Retail: Addressing Compliance and Security Best Practices

PCI Solution for Retail: Addressing Compliance and Security Best Practices PCI Solution for Retail: Addressing Compliance and Security Best Practices Executive Summary The Payment Card Industry (PCI) Data Security Standard has been revised to address an evolving risk environment

More information

Compliance Risk Management IT Governance Assurance

Compliance Risk Management IT Governance Assurance Compliance Risk Management IT Governance Assurance Solutions That Matter Introduction to Federal Information Security Management Act (FISMA) Without proper safeguards, federal agencies computer systems

More information

GAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony

GAO INFORMATION SECURITY. Fundamental Weaknesses Place EPA Data and Operations at Risk. Testimony GAO United States General Accounting Office Testimony INFORMATION SECURITY Fundamental Weaknesses Place EPA Data and Operations at Risk Statement of David L. McClure Associate Director, Governmentwide

More information

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program

INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program INTERNATIONAL TRADE ADMINISTRATION Improvements Are Needed to Strengthen ITA s Information Technology Security Program FINAL REPORT NO. OIG-12-037-A SEPTEMBER 27, 2012 U.S. Department of Commerce Office

More information

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY Office of Inspector General Improved Security Required for DHS Networks (Redacted) Notice: The Department of Homeland Security, Office of Inspector General, has redacted

More information

INFORMATION SECURITY. FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain

INFORMATION SECURITY. FDIC Made Progress in Securing Key Financial Systems, but Weaknesses Remain United States Government Accountability Office Report to the Chairman, Federal Deposit Insurance Corporation July 2014 INFORMATION SECURITY FDIC Made Progress in Securing Key Financial Systems, but Weaknesses

More information

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters

GAO INFORMATION SECURITY. Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains. Report to Congressional Requesters GAO United States Government Accountability Office Report to Congressional Requesters June 2008 INFORMATION SECURITY Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains

More information

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL

Department of Health and Human Services OFFICE OF INSPECTOR GENERAL Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION SYSTEM GENERAL CONTROLS AT THREE CALIFORNIA MANAGED-CARE

More information

Wireless Local Area Network Deployment and Security Practices

Wireless Local Area Network Deployment and Security Practices HIGHLIGHTS AUDIT REPORT Wireless Local Area Network Deployment and April 24, 2014 Report Number HIGHLIGHTS BACKGROUND: The U.S. Postal Service is committed to providing a high quality, secure, and cost-effective

More information

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report

U.S. Department of Energy Office of Inspector General Office of Audits & Inspections. Evaluation Report U.S. Department of Energy Office of Inspector General Office of Audits & Inspections Evaluation Report The Department's Unclassified Cyber Security Program - 2012 DOE/IG-0877 November 2012 MEMORANDUM FOR

More information

Wireless Network Standard and Guidelines

Wireless Network Standard and Guidelines Wireless Network Standard and Guidelines Purpose The standard and guidelines listed in this document will ensure the uniformity of wireless network access points and provide guidance for monitoring, maintaining

More information

Wireless Network Security

Wireless Network Security Wireless Network Security Bhavik Doshi Privacy and Security Winter 2008-09 Instructor: Prof. Warren R. Carithers Due on: February 5, 2009 Table of Contents Sr. No. Topic Page No. 1. Introduction 3 2. An

More information

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

WHITEPAPER. Wireless LAN Security for Healthcare and HIPAA Compliance WHITEPAPER Wireless LAN Security for Healthcare and HIPAA Compliance Wireless LAN Security for Healthcare and HIPAA Compliance Wireless deployments in healthcare institutions have accelerated as mobility

More information

CYBERSECURITY Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies

CYBERSECURITY Recent Data Breaches Illustrate Need for Strong Controls across Federal Agencies United States Government Accountability Office Testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Modernization Act Audit for Fiscal Year 2015 March 15, 2016 15-01957-100 ACRONYMS

More information

US Postal Service - Effective Security Policies and Controls For Wireless Networks

US Postal Service - Effective Security Policies and Controls For Wireless Networks Wireless Local Area Network Deployment and Security Practices Audit Report Report Number IT-AR-14-005-DR April 24, 2014 Highlights Our objectives were to determine whether the Postal Service has effective

More information

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015

Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 Independent Evaluation of NRC s Implementation of the Federal Information Security Modernization Act of 2014 for Fiscal Year 2015 OIG-16-A-03 November 12, 2015 All publicly available OIG reports (including

More information

FEDERAL INFORMATION SECURITY

FEDERAL INFORMATION SECURITY United States Government Accountability Office Report to Congressional Committees September 2015 FEDERAL INFORMATION SECURITY Agencies Need to Correct Weaknesses and Fully Implement Security Programs GAO-15-714

More information

Department of Veterans Affairs

Department of Veterans Affairs OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Assessment for FY 2010 May 12, 2011 10-01916-165 FISMA NIST OIG OMB POA&M ACRONYMS AND ABBREVIATIONS

More information

INFORMATION ASSURANCE DIRECTORATE

INFORMATION ASSURANCE DIRECTORATE National Security Agency/Central Security Service INFORMATION ASSURANCE DIRECTORATE IAD Best Practices for Securing Wireless Devices and Networks in National Security Systems IAG U/OO/814639-15 13 October

More information

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks. Table of Contents Section 1: Executive summary...1 Section 2: The challenge...2 Section 3: WLAN security...3 and the 802.1X standard Section 4: The solution...4 Section 5: Security...4 Section 6: Encrypted

More information

Information Security Program Management Standard

Information Security Program Management Standard State of California California Information Security Office Information Security Program Management Standard SIMM 5305-A September 2013 REVISION HISTORY REVISION DATE OF RELEASE OWNER SUMMARY OF CHANGES

More information

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections

U.S. Department of Energy Office of Inspector General Office of Audits and Inspections U.S. Department of Energy Office of Inspector General Office of Audits and Inspections Audit Report The Department's Configuration Management of Non-Financial Systems OAS-M-12-02 February 2012 Department

More information

WHITE PAPER. Wireless LAN Security for Healthcare and HIPAA Compliance

WHITE PAPER. Wireless LAN Security for Healthcare and HIPAA Compliance WHITE PAPER Wireless LAN Security for Healthcare and HIPAA Compliance Wireless LAN Security for Healthcare and HIPAA Compliance Wireless deployments in healthcare institutions have accelerated as mobility

More information

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network

WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network WLAN Security Why Your Firewall, VPN, and IEEE 802.11i Aren t Enough to Protect Your Network 339 N. Bernardo Avenue, Suite 200 Mountain View, CA 94043 www.airtightnetworks.net Executive Summary Wireless

More information

INFORMATION SECURITY. SEC Needs to Improve Controls over Financial Systems and Data

INFORMATION SECURITY. SEC Needs to Improve Controls over Financial Systems and Data United States Government Accountability Office Report to the Chair, U.S. Securities and Exchange Commission April 2014 INFORMATION SECURITY SEC Needs to Improve Controls over Financial Systems and Data

More information

How To Get The Nist Report And Other Products For Free

How To Get The Nist Report And Other Products For Free National Institute of Standards and Technology (NIST) The Information Technology Lab Computer Security Division (893) Now What? What does NIST have for you to use and how do you get it? How do you contact

More information

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World

Enabling Staff with Secure Mobile Technology in an Increasingly Risky World Enabling Staff with Secure Mobile Technology in an Increasingly Risky World Dan Campbell March 27, 2012 301-841-7400 Mobility = Mission Critical Mobility is no longer a luxury, it s a necessity Organizations

More information

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter Introduction Who are we? Matt Moore, Senior Consultant @ PenTest Ltd. Mark Rowe, Technical Director @ PenTest Ltd. What

More information

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS

HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY CONTROLS Department of Health and Human Services OFFICE OF INSPECTOR GENERAL HEALTH INSURANCE MARKETPLACES GENERALLY PROTECTED PERSONALLY IDENTIFIABLE INFORMATION BUT COULD IMPROVE CERTAIN INFORMATION SECURITY

More information

WHITE PAPER. Preventing Wireless Data Breaches in Retail

WHITE PAPER. Preventing Wireless Data Breaches in Retail WHITE PAPER Preventing Wireless Data Breaches in Retail Preventing Wireless Data Breaches in Retail The introduction of wireless technologies in retail has created a new avenue for data breaches, circumventing

More information

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture

State of Kansas. Interim Wireless Local Area Networks Security and Technical Architecture State of Kansas Interim Wireless Local Area Networks Security and Technical Architecture October 6, 2005 Prepared for Wireless Policy Committee Prepared by Revision Log DATE Version Change Description

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE THE CHALLENGE: SECURE THE OPEN AIR Wirelesss communication lets you take your business wherever your customers,

More information

HIPAA Compliance Review Analysis and Summary of Results

HIPAA Compliance Review Analysis and Summary of Results Centers for Medicare & Medicaid Services (CMS) Office of E-Health Standards and Services (OESS) Reviews 2008 Table of Contents Introduction 1 Risk

Legislative Language

Legislative Language SEC. 1. COORDINATION OF FEDERAL INFORMATION SECURITY POLICY. (a) IN GENERAL. Chapter 35 of title 44, United States Code, is amended by striking subchapters II and III and inserting

Industrial Communication. Securing Industrial Wireless

Industrial Communication Whitepaper Securing Industrial Wireless Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point...

Information Technology Security Training Requirements APPENDIX A. Appendix A Learning Continuum A-1

APPENDIX A Appendix A Learning Continuum A-1 Appendix A Learning Continuum A-2 APPENDIX A LEARNING CONTINUUM EDUCATION Information Technology Security Specialists and Professionals Education and

HEALTHCARE.GOV. Information Security and Privacy Controls Should Be Enhanced to Address Weaknesses

United States Government Accountability Office Testimony Before the Committee on Oversight and Government Reform, House of Representatives For Release on Delivery Expected at 11:00 a.m. ET Thursday, September

How To Check If Nasa Can Protect Itself From Hackers

SEPTEMBER 16, 2010 AUDIT REPORT OFFICE OF AUDITS REVIEW OF NASA'S MANAGEMENT AND OVERSIGHT OF ITS INFORMATION TECHNOLOGY SECURITY PROGRAM OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration

How To Protect A Wireless Lan From A Rogue Access Point

Understanding Security to Ensure Compliance with HIPAA Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician's assistants and other

Office of the Auditor General Performance Audit Report. Statewide UNIX Security Controls Department of Technology, Management, and Budget

Office of the Auditor General Performance Audit Report Statewide UNIX Security Controls Department of Technology, Management, and Budget December 2015 State of Michigan Auditor General Doug A. Ringler,

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

Link Layer and Network Layer Security for Wireless Networks

White Paper Link Layer and Network Layer Security for Wireless Networks Abstract Wireless networking presents a significant security challenge. There is an ongoing debate about where to address this challenge:

Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003

Enterprise Solutions for Wireless LAN Security Wi-Fi Alliance February 6, 2003 Executive Summary The threat to network security from improperly secured WLANs is a real and present danger for today's enterprises.

NIST Cyber Security Activities

NIST Cyber Security Activities Dr. Alicia Clay Deputy Chief, Computer Security Division NIST Information Technology Laboratory U.S. Department of Commerce September 29, 2004 1 Computer Security Division

INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK

MARCH 28, 2011 AUDIT REPORT OFFICE OF AUDITS INADEQUATE SECURITY PRACTICES EXPOSE KEY NASA NETWORK TO CYBER ATTACK OFFICE OF INSPECTOR GENERAL National Aeronautics and Space Administration REPORT NO. IG-11-017

Department of Homeland Security Office of Inspector General

Department of Homeland Security Office of Inspector General Vulnerabilities Highlight the Need for More Effective Web Security Management (Redacted) OIG-09-101 September 2009 Office of Inspector General

TITLE III INFORMATION SECURITY

H. R. 2458 48 (1) maximize the degree to which unclassified geographic information from various sources can be made electronically compatible and accessible; and (2) promote the development of interoperable

MICHIGAN AUDIT REPORT OFFICE OF THE AUDITOR GENERAL. Doug A. Ringler, CPA, CIA AUDITOR GENERAL DATA SECURITY USING MOBILE DEVICES PERFORMANCE AUDIT OF

MICHIGAN OFFICE OF THE AUDITOR GENERAL AUDIT REPORT PERFORMANCE AUDIT OF DATA SECURITY USING MOBILE DEVICES DEPARTMENT OF TECHNOLOGY, MANAGEMENT, AND BUDGET January 2015 Doug A. Ringler, CPA, CIA AUDITOR

---Information Technology (IT) Specialist (GS-2210) IT Security Competency Model---

---Information Technology (IT) Specialist (GS-2210) IT Security Model--- TECHNICAL COMPETENCIES Computer Forensics Knowledge of tools and techniques pertaining to legal evidence used in the analysis of

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL Title: Computer and Network Security Policy Policy Number: 04.72.12 Effective Date: November 4, 2003 Issuing Authority: Office of the Vice President for

Audit Report. The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013

Audit Report The Social Security Administration's Compliance with the Federal Information Security Management Act of 2002 for Fiscal Year 2013 A-14-13-13086 November 2013 MEMORANDUM Date: November 26,

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Information Security Risk Assessment Checklist A High-Level Tool to Assist USG Institutions with Risk Analysis Updated Oct 2008 Introduction Information security is an important issue for the University

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

2/1/2012 Assessor: J. Doe Disclaimer This report is provided as is for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

OCIE CYBERSECURITY INITIATIVE

Topic: Cybersecurity Examinations Key Takeaways: OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, focusing on areas related to cybersecurity.

Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer

IPSWITCH FILE TRANSFER WHITE PAPER Supporting FISMA and NIST SP 800-53 with Secure Managed File Transfer www.ipswitchft.com Adherence to United States government security standards can be complex to plan

XX-XXX Wireless Local Area Network Guidelines. Date: August 13, 2003 Date Adopted by NITC: Other:

Nebraska Information Technology Commission TECHNICAL STANDARDS AND GUIDELINES Wireless Local Area Network Guidelines Category Title Number Security Architecture Wireless Local Area Network Guidelines Applicability

Attachment A. Identification of Risks/Cybersecurity Governance

Attachment A Identification of Risks/Cybersecurity Governance 1. For each of the following practices employed by the Firm for management of information security assets, please provide the month and year

Department of Veterans Affairs VA Directive 6004 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS

Department of Veterans Affairs VA Directive 6004 Washington, DC 20420 Transmittal Sheet September 28, 2009 CONFIGURATION, CHANGE, AND RELEASE MANAGEMENT PROGRAMS 1. REASON FOR ISSUE: This Directive establishes

Security in Wireless Local Area Network

Fourth LACCEI International Latin American and Caribbean Conference for Engineering and Technology (LACCET 2006) Breaking Frontiers and Barriers in Engineering: Education, Research and Practice 21-23 June

Ensuring HIPAA Compliance in Healthcare

The Intelligent Wireless Networking Choice WHITE PAPER Ensuring HIPAA Compliance in Healthcare Overview Wireless LANs are prevalent in healthcare institutions. The constant need for mobility among doctors,

HEALTHCARE.GOV. Actions Needed to Address Weaknesses in Information Security and Privacy Controls

United States Government Accountability Office Report to Congressional Requesters September 2014 HEALTHCARE.GOV Actions Needed to Address Weaknesses in Information Security and Privacy Controls GAO-14-730

Office of Inspector General

Office of Inspector General DEPARTMENT OF HOMELAND SECURITY U.S. Department of Homeland Security Washington, DC 20528 Office of Inspector General Security Weaknesses Increase Risks to Critical DHS Databases

Standards for Security Categorization of Federal Information and Information Systems

FIPS PUB 199 FEDERAL INFORMATION PROCESSING STANDARDS PUBLICATION Standards for Security Categorization of Federal Information and Information Systems Computer Security Division Information Technology

GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010

APPENDIX 1 GOVERNANCE AND MANAGEMENT OF CITY WIRELESS TECHNOLOGY NEEDS IMPROVEMENT MARCH 12, 2010 Auditor General's Office Jeffrey Griffiths, C.A., C.F.E. Auditor General City of Toronto TABLE OF CONTENTS

INFORMATION SECURITY. Agencies Need to Improve Cyber Incident Response Practices

United States Government Accountability Office Report to Congressional Requesters April 2014 INFORMATION SECURITY Agencies Need to Improve Cyber Incident Response Practices GAO-14-354 April 2014 INFORMATION

GAO INFORMATION SECURITY. National Archives and Records Administration Needs to Implement Key Program Elements and Controls

GAO United States Government Accountability Office Report to the Ranking Member, Committee on Finance, U.S. Senate October 2010 INFORMATION SECURITY National Archives and Records Administration Needs to